Fixes #21 Exclude admin_url() from being rewritten

[engahmeds3ed]

Here we need to exclude admin_url in srcset from being rewritten by the CDN url not to cause the logout problem.

The problem

When Jetpack plugin is installed, it adds an image for stats in the adminbar in front pages which has the following HTML

<img src="https://www.xxx.com/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale" srcset="https://www.xxx.com/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale 1x, https://www.xxx.com/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale-2x 2x" width="112" height="24" alt="Stats" title="Views over 48 hours. Click for more Site Stats.">

and when we change the srcset for this image, it's converted to this one

<img src="https://www.xxx.com/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale" srcset="https://xxx.rocketcdn.me/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale 1x, https://xxx.rocketcdn.me/wp-admin/admin.php?page=stats&amp;noheader&amp;proxy&amp;chart=admin-bar-hours-scale-2x 2x" width="112" height="24" alt="Stats" title="Views over 48 hours. Click for more Site Stats.">

and I believe this will force logout when the pages tries to load this img

https://xxx.rocketcdn.me/wp-admin/admin.php?page=stats&noheader&proxy&chart=admin-bar-hours-scale

because it will redirect you to the

https://www.xxx.com/wp-admin/admin.php?page=stats&noheader&proxy&chart=admin-bar-hours-scale

but the referrer will be from the CDN url so it forces logout.

The Solution

Would be to exclude the urls that have wp-admin OR admin_url on it.

[Tabrisrp]

Can you explain what was happening and the choice for the fix?

[engahmeds3ed]

Can you explain what was happening and the choice for the fix?

I updated the PR's description with more details and connected it to the issue.

[Tabrisrp]

What do you think of moving this check to the rewrite_url() method instead, so that we make sure we never change the URL of anything that is from the admin? This will still cover the srcset case, but also other potential future cases.

[engahmeds3ed]

What do you think of moving this check to the rewrite_url() method instead, so that we make sure we never change the URL of anything that is from the admin? This will still cover the srcset case, but also other potential future cases.

Good idea, fixed.